Fair processing (privacy) notice
NHS Kent and Medway Integrated Care Board (ICB) is responsible for the planning and buying (also known as commissioning) of healthcare services in Kent and Medway, bringing the NHS together locally to improve population health and care.
We also monitor the performance and quality of these services. In general we only use data that has been anonymised (identifiable details removed) or pseudonymised for these purposes.
Pseudonymised data/information is anonymous to the people who hold or receive it, for example a research team, but contains information or codes that would allow others, for example those responsible for the person’s care, to identify the person.
This privacy notice tells you:
- who we are
- the type of information (including personal data and special categories of information) the ICB holds and why
- how the ICB uses the information
- who the ICB may share that information with
- how we keep the information, safe, secure and confidential
- how you can contact us regarding your rights.
Full details on each data flow are included in the Record of Processing Activities (ROPA).
The ICB is a controller under the terms of the UK General Data Protection Regulations (GDPR)/Data Protection Act 2018 (the Act). This means we are legally responsible for ensuring all personal information we process, hold, obtain, record, use or share about you is carried out in compliance with data protection principles.
All controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is ZB346663 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Under the General Data Protection Regulations (GDPR) and Data Protection Act 2018, the ICB as a public authority must appoint a data protection officer (DPO). All ICBs must also appoint a caldicott guardian and senior information risk owner (SIRO). Please see the key individuals section below for more information.
We are committed to protecting your privacy and will only process personal, confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidentiality. The information we do hold about you is protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
All information we hold about you will be held securely and confidentially. We use administrative and technical controls to do this, such as issuing encrypted secure IT equipment to all staff. We use strict controls to ensure only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going data security awareness training to make sure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only share any information about you with a third party in line with our ROPA. We will only obtain and use the minimum amount of information necessary about you.
Data Protection Officer (DPO)
The ICB’s data protection officer is our Head of Information Governance Information Governance, Dan Clement.
The DPO’s minimum tasks are defined in Article 39 of the GDPR:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed.
Caldicott Guardian
All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. The ICB’s Caldicott Guardian is our Chief Nurse, Paul Lumsdon, who is responsible for protecting the confidentiality of patients’ and service users’ information and enabling appropriate information sharing.
The Caldicott Guardian plays a key role in ensuring the ICB satisfies the highest possible standards for handling personal information.
Acting as the conscience of an organisation, the Caldicott Guardian supports work to enable information sharing where it is appropriate and advises on options for lawful and ethical processing of information.
Senior Information Risk Owner (SIRO)
In addition to the Caldicott Guardian, the ICB also has a SIRO who owns the ICB’s overall information risk policy and risk assessment process. This involves making sure there are robust incident reporting processes for any information risks identified by the ICB. The ICB’s SIRO is Mike Gilbert, Director of Corporate Services. The Deputy SIRO is Dan Clement, Head of Information Governance.
Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment, the care they have provided, or plan to provide to you, so they are able to provide you with the best possible care.
These records are called your health care record and may be stored in paper form or on an electronic system. They may include:
- details about you, such as your address, date of birth, NHS number, and next of kin
- details of the contacts we have had with you, such as clinical visits
- notes and reports about your health
- records about your treatment and care, results of x-rays, laboratory tests etc.
Your health care records are used for the following reasons:
- by healthcare professionals looking after you to have accurate and up-to-date information to help them decide on any future care you may need
- to make sure accurate and complete information is available, should you see another doctor or be referred to a specialist or another part of the NHS
- to have a good basis for assessing the type and quality of care you have received
- to make sure your concerns can be properly investigated if you need to complain.
The law provides some NHS bodies, such as NHS Digital, the ability to collect and use unidentifiable patient data which they can then provide to help commissioners (ICBs) to design and acquire the combination of services that best suit the population they serve.
Data may be linked and anonymised by these bodies so it can be used to improve health care and development and monitor NHS performance. This is often referred to as a secondary use of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure patients cannot be identified (see information below regarding anonymisation).
For the majority of the ICB's work, we do not need to use personal/confidential data and wherever possible, anonymised data is used.
Anonymised data refers to the process of turning personal and/or sensitive data into a form which does not identify individuals and where identification is not likely to take place. The Data Protection Act 2018 /UK GDPR only applies to personal identifiable information and therefore anonymised data is not covered by the act as there is only a slim, to no, chance of the information being re-identifiable.
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this. Examples include:
- to check the quality and efficiency of the health services we commission,
- to prepare performance reports on the services we commission,
- checking NHS accounts and services,
- working out what illnesses people will have in the future so we can work with local services to make sure patients' needs are met,
- reviewing the care we commission to make sure it is of a high standard.
As the ICB is responsible for funding services, we do not provide any healthcare services and therefore we do not routinely hold medical records or patient confidential data.
There are some specific areas, however, where we do hold and use personal confidential information. In order to process that information we will have met a legal requirement, as follows:
- meeting a legal basis for processing under the Data Protection Act 2018,
- to protect children or vulnerable adults,
- where there is an overriding public interest in using the information, for example, to safeguard an individual, or to prevent a serious crime,
- where there is a legal requirement that will allow us to use or provide information (a formal court order),
- where we have special permission for health or research purposes (granted by the Health Research Authority Section 251),
- for the health and safety of others, for example to report an infectious disease.
The ICB has a limited number of functions, where personal confidentiality is required. Full details of these functions are included in our ROPA .
The GDPR / Data Protection Act 2018 provides the following rights for individuals depending on the legal basis for processing (as identified in the ROPA.):
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights related to automated decision making including profiling.
Further information on these rights can be accessed on the ICO website.
If you wish to exercise any of the rights available to you, or to speak to somebody to understand what impact this may have, please contact the Data Protection Officer.
Please go to the subject access requests page for more information.
You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.
If your wishes cannot be followed you will be told the reasons (including the legal basis) for that decision. This includes situations such as to fulfil our safeguarding obligations and any areas where we have legal obligations to share your information.
If you wish to exercise your right to opt-out, or to speak to somebody to understand what, if any, impact this may have please contact the Data Protection Officer at kmicb.dpo@nhs.net.
Whenever you use health or care services important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and shared with other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
All these uses help to provide better health and care for you, your family and future generations. However, the National Data Opt-Out (NDOO) was introduced on 25 May 2018 and allows patients to opt out of their confidential information being used beyond their direct care for certain research and planning purposes. All NHS organisations in England must comply with the National Data Opt-Out from 30 September 2020.
Essentially this means that NHS Kent and Medway ICB must always check whether any purpose for which it uses or shares patients’ personal information is one to which the NDOO applies. Where it is, the ICBs will need to identify those patients that have opted out and exclude their information from use.
It should be noted that the NDOO does not apply in all circumstances of data sharing, e.g. where patients have explicitly consented to share their data, and the use of aggregated or anonymised data.
For the majority of the ICB's work, we do not need to use personal/confidential data. The applicability of the NDOO is therefore limited for the data processing carried out by the ICB.
Please see this National Data Opt Out application to ICB data flows. This is a breakdown of when the ICB does use personal/confidential data and whether the NDOO applied to that data processing.
Additionally, there is a type 1 opt out that prevents information being shared outside of a GP practice for purposes other than direct care. Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until the Department of Health and Social Care conducts a consultation with the National Data Guardian on their removal: further information on the types of data opt out.
In order to ensure we maintain compliance with the NDOO, NHS Kent and Medway ICB will continually monitor its uses of confidential patient data to ensure that any to which the NDOO is likely to apply are identified as quickly as possible. This is done via the ICB’s work on Information Asset review.
To find out more or to register your choice to opt out, please visit nhs.uk: your data matters. On this web page you will also:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
Retention
Any information obtained by the ICB will be retained for as long as is necessary for the purpose we collected it for.
Records are kept in accordance with Data Protection Act 2018 principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule which determines the length of time records should be kept.
Destruction
Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities to:
- ensure information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a reputable confidential waste company that complies with European Standard EN15713,
- ensure electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards,
- retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us),
- ensure any arrangement made to sub-contract secure disposal services from another provider, complies with clause GC12 of the NHS Standard Contract and with assurance that the sub-contractor’s organisational and technical security measures comply with the Data Protection Act 2018.
This notice is not exhaustive, however, we are happy to provide any additional information or explanation needed.
Requests for this should be sent to the Data Protection Officer, Dan Clement at kmicb.DPO@nhs.net.
NHS Kent and Medway ICB
Gail House, Lower Stone Street
Maidstone
ME1 6NB
01634 335020
For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about how your data is used and processed, you can contact:
The Information Commissioner
Wycliffe House, Water Lane,
Wilmslow, Cheshire SK9 5AF
Phone: 08456 30 60 60 or 01625 545745
www.ico.org.uk
Reviews and changes to this page
We will keep our privacy notice under regular review. This privacy notice was last reviewed in December 2023.